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A METHOD AMD A SYSTEM FOR RESPONDING TO A RRff TTBCT ,.no 
ACCESS TO AN APPUCATION SBRVICE 

Technical Field 

The present invention relates to a method and a 
server for responding to a request for access to an 
application aervice, which service is deployed in a 
S system that associates specific areas of a position coded 
surface with corresponding application services. 

Backgroun d of the Invention 

The applicant of the present invention has developed 
a system infrastructure in which use is made of products 
having writing surfaces that are provided with a position 
code. Digital devices, preferably in the form of digital 
pans, are used for writing on the writing surface while 
at the same time being able to detect positions of the 
position coded surface. The digital device detects the 
position code by means of a sensor and calculates 
positions corresponding to written pen strokes. 

An area of the position code, such as an area 
associated with a product, typically has one or more 
activation icons, also known as magic boxes, which, when 
detected by the digital device, cause the pen to initiate 
a respective predetermined operation which utilises the 
information recorded by the device from the position 
coded surface. 

More specifically, the position-coded surface has a 
built-in functionality, in that different positions on a 
confined area o£ the surface on a product, such as 
posxtions Within the activation icon and positions within 
the writing surface, are dedicated for different 
functions. The position code is capable 6f coding co- 
ordxnates of a large number of positions, much larger 
than the number of necessary positions on a surface area 
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of one single product. Thus, the position code can be 
seen as forming a virtual surface which is defined by all 
positions that the position code is capable of coding, 
different positions on the virtual surface being 
dedicated for different functions, or services, and/ or 
actors , 



^ The system includes, in addition to the digital 

devices and a plurality of position coded products, at 
least one look-up server running a service called a paper 
10 look-up service, PLS, and a plurality of application 

servers acting as actors or Application Service Handlers 
ASH in the syscem and executing application services. 

The look-up server uses a database to manage the 
virtual surface defined by the position code and the 
15 information related to this virtual surface, i.e. the 
functionality of every position on the virtual surface 
and the actor associated with each such position. 
^ Different areas, or regions, on the virtual surface are 

by the paper look-up service associated with respective 
20 particulars and/or data by means of management rules.. In 
response to receipt of information from a digital device, 
which information corresponds to at least one position on 
the virtual surface, the PLS is arranged to identify to 
which area the coordinates of the position or positions 
: 25 belong and to determine how the information is- to be 

: managed based on the management rules for that area. 

"' : The application server is a server effecting a 

service on behalf of a digital device, such as storing or 
relaying digital information, initiating transmission of 
.— . 30 information or items to a recipient etc. 

The above described position coded surface and the 
*•-'. overall system with its operation and its , enabling 

support of various functions and services to digital 
devices are further described in the published patent 
35 applications WO 01/48591, WO 01/48678 and WO 01/48685, 

all of which have been filed by the present applicant and 
all of which are incorporated herein by reference. It is 
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to be noted that other types of position codes are 
equally possible within the scope of the present 
invention. 

The above described system is beneficial for an 
5 enterprise or an government authority that wants to use 
the functionality of the system for improving internal 
processes and workflows* By using the described system, 
an enterprise will be able to turn information entered by 
means of pen and paper into useful digital data. Such a 

10 process for transferring paper based information to 
digital data will save the enterprise a considerable 
amount of labour and time, and in the end a considerable 
amount of money. 

However, there are some drawbacks associated with 

15 the above system if an enterprise wants to adopt the 
system while at the same time, for security reasons / 
retaining full control over its ueage. Some of these 
drawbacks can be derived from the fact that the above 
described paper lock-up service is a global service, i,e, 

20 a global paper look-up service, 6-PLS, that services a 
number of different actors and that is operated by am 
external party, typically by the party determining the 
allocation of different areas of the position coded 
surface to different functions and different actors. 

25 The enterprise can gain more or less full control 

over any application services which are for exclusive use 
by the enterprise and its associated pens if the 
application services are hosted on e*g« am intranet, 
without any participation of the global paper look-up 

30 service in the execution of the specific application 

sezrvice. However, the enterprise would still be dependent 
on an established communication with the global FLS, such 
as over the Internet, in order for the look-ups from the 
digital devices, or pens, to be managed correctly and in 

35 order to direct a device to a specific application 

service. Thus, the enterprise will not be in control of 
general digital device usage, such as look-ups being 
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performed/ nor will it then be able to control ^^1*"^"*^*^" '^^^ 
digital device's stccees to externally available services, 
eince such services could be accessed by the digital 
devices via the global PLS. 

5 

Summaxry of the Invention 

An object of the present invention is to provide a 
method and a server that offers an enterprise increased 
control and security. In terms of general syebein usage 
10 and service usage^ when adopting the principles of a 

position coded paper based system of the kind described 
above. 

According to the invention, this object is achieved 
by a method having the features as defined in independent 

15 claim 1 and by an entieirprise paper look-up server having 
the features as defined in independent claim 17. 
Preferred embodiments of the Invention are defined in the 
dependent claims « 

The invention is based on the idea that instead of 

20 relying on a global paper look-up service for managing 
information controlling and invoking application 
services, an enterprise paper look-up service is provided 
which manages a confined set o£ enterprise application 
sexrvices associated with respective areas included by the 

25 overall position coded surface. When receiving a request 
that includes address information of such an area, the 
enterprise paper look-up service, E-PLS, checks if the 
area address is associated with a service that the E-PLS 
manages- If this is not the case, the request is routed 

30 to a second paper look-up service • 

This solution provides a nuinber of advantages. Th^ 
solution improves security since it enables the 
enterprise paper look-up service to operate independently 
of the global PLS, and therefore only requires 

35 communication within an internal network of the 

enterprise, to which network one or more enteacprise paper 
look-up services and servers executing enterprise 



3. JAN2003 14:55 AWAPATENT_+468440955(^ MR. 4627 S. / 

AWAPATEMT Ukto^.^«. 

" 7 ■. -: , C c 

application services are connected. Thus, the enterprise 
does not need to cononunicate with a global PLS over the 
Internet. By not including Internet resources in the 
solution the security and control of the system Is not 
5 jeopardized. Should it be desired to be able to 

conununicate with the global PLS, such communication can 
be greatly restricted and carefully monitored by means of 
communication via an enterprise firewall. Also^ the 
system can more easily be adapted to any existing 

10 security framework of the enterprise. 

Furthermore; the enterprise will be in full control 
over what services that can be accessed by the digital 
devices, €uid thus in full control over the usage of the 
digital devices in the system. It is the enterprise that 

15 on its own determines what confined set of services that 
are managed by the enterprise look-up service and what 
specific further look-up service a service request may be 
routed to. In addition to that this gives the entea^prise 
control over what services that are, and can be, used, it 

20 also facilitates the control of costs generated by the 
system usage. The solution enables an enterprise 
centralized administration, and enables introduction of 
new services and maintenance of service to be perfomed 
easily and efficiently by the enterprise, since the 

25 services are managed centrally and provided so as to be 
accessible to all digital devices associated with the 
enterprise. 

Advantageously, the B-PLS checks if an originator of 
a request for access to a services has the right to route 

30 a request via the present E-PLS to a second PLS, before 
such routing is performed. The right may be controlled 
by, e-g., different security levels associated with the 
services of the second PLS or the second PLS in itself. 
This second PLS may be an B-PLS of another organisational 

35 part of the same enterprise, an E-PLS of another 
enterprise, or the global PLS. Thus, regardless of 
whether the originator is a digital pen or another B-PLS, 
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this makes it possible to enable, or disable^ ttoie access 
to an E-PLS of another organisational part of the same 
enterprise, an E*PLS of another enterprise, or to the 
global PLS if such a communication path is possible. 
5 Furthermore, the E-FL8 advantageously checks/ if the 

received request for access to a service is determined to 
relate to a service managed by the B-PLS itself, that the 
digital device has the right to access this specific 
service, before greuiting access to the service - Thus , the 
10 enterprise will be able to control what digital device^ 
or group of digital devices, that is/are allowed to 
access what service* Similarly, the B-PLS may check if a 
certain other B-PLS has the right to route a request for 
access to a service managed by the B-PLS in case the 
15 request is received from such other B-PLS • 

Further features and advantages of the invention 
will become more readily apparent from the following 
detailed description of a nutrtber of exenqplifying 
einbodimente of the invention* As is understood, various 
20 modifications, alterations and different combinations of 
features coming within the spirit and scope of the 
invention will become apparent to those skilled in the 
art when studying the general teaching set forth herein 
and the following detailed description. 

25 

Brief Description of the Drawings 
]* Exemplifying embodiments of the present invention 

will now be described with reference to the accompanying 
: drawings, in which: 

30 Pig- 1 schematically shows an exemplifying system 

• infrastructure developed by the applicant of the present 

invention; 

'} Fig. 2 schematically shows a system which includes 

an exemplifying embodiment of the present invention; 
35 Fig. 3 shows an enterprise paper look-up server in 

accordance with an exemplifying embodiment of the 
invention; 
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Pig. 4 schematically shows an exemplifying overall 
operation which includes the operation of an embodiment 
o£ the invention; and 

Fig. 5 Is a flow chart o£ the operation in 
5 accordance with an exemplifying embodiment of the 
invention. 

Detailed Description of the Invention 

Pig. 1 shows the system infrastructure developed by 

10 the applicant of the. present invention. .This 

Infrastructure has been described above in the baclcground 
section and will be further described below. 

The system in Fig. 1 comprises digital pens 100 
implementing digital devices and a plurality of products 

15 110 with a position code (not shown) covering a writing 
surface 120 and an activation icon 125. In the figure / 
only one digital pen and one product are shown. The 
system further comprises a network connection unit 130, a 
paper look-up server 140 running a paper look-up service, 

20 PLS, an application server 150 running an application 
service of a third party and an application server 160 
running a number of standardized application services in 
the system. In Pig. 1 the network connection unit 130 is 
exemplified with a mobile station, however, the unit 130 

25 could alternatively be a personal digital assistant (PDA) 
or some other suitable electronic device. Typically, the 
described system will in addition to a plurality of 
digital devices 100 and products 110 include a plurality 
of network connection units 130 and a plurality of 

30 application servers 150, 160, 

By detecting symbols of the coding pattern on the 
product 110, the digital pen is able to determine one or 
more eddsolute co-ordinates of the total, virtual surface 
that can be coded by the coding pattern. 

35 The total surface is advantageously divided into a 

number of segments, each segment being divided into a 
number of shelves, each shelf being divided into a nurober 
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of books / and each book being divided into a nutnber of 
pages. An absolute co-ordiziate will by the digital pen be 
determined to be located on a certain page. The page may 
be identified using the format 1.2.3.4 
5 (segment .shelf .book. page) , which denotes page 4 of book 
3, on shelf 2, in segment 1. This notation defines a page 
address. An area address may typically be defined by a 
page address. However^ an area address may also define a 
larger area by means of a book address, e.g. 1.2.3.x^ 
10 where x denotes all pages of the specific book, a shelf 
address, 1.2.x.x, or a segment address, 1.x. x.x. It is to 
be understood that other addressing schemes are eitually 
possible and that such addressing schemes also would fall 
within the scope of the present invention. 
15 When the user moves the digital pen 100 across the 

surface of the product 110, information is recorded by 
detecting positions on the surface and determining the 
corresponding absolute co-ordinates. This is accomplished 
by means of a sensor and various memory and processing 
20 circuitary included within the pen 100 . These absolute co- 
ordinates, or the area address, typically the page 
address, to which the co-ordinates belong, are 
communicated via the mobile station 130, a mobile 
communications network 170 and the Internet 180 to the 
25 paper look-up service 140. Alternatively, the co- 
ordinates are communicated to a local paper look-up 
service running on a personal computer, PC, 190 in the 
close neighbourhood of the digital pen. If the personal 
computer and the digital pen are equipped with Bluetooth® 
30 transceivers, the digital pen 100 may communicate 
directly with the PC running the local PLS. 

The local PX»S 190 Is responsible for managing and 
providing local Standardized application services, such 
as an e-mail application, a calendar application, an 
35 application for taking notes etc. The local PC 150 stores 
particulars about co-ordinates and pages of one or more 
confined surface areas and manages services on behalf of 
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one or a very limited nutnber of digital pens. The paper 
look-up service running on server 140 on the other hand 
is global and stores, in a memory or in a connected data 
base (not shown) , particulars about all the co-ordinates 
5 of the total sxirface. This also includes storing 

particulars about the pages in which the total surface is 
divided. Both the global and the local paper look-up 
service process received information, which at least 
include co-ordinate content or page address content, in 
10 accordance with the tnanagement rules that have been 

associated with a particular co-ordinate or a particular 
page address. 

For a user of a digital pen, the system is simple to 
use as the user does not himself need to define how 

15 recorded information/positions are to be managed. When 
the user initiates a communication session for 
transmission of information, the management of this 
information is controlled based on the co-ordinates that 
the user records and/or the page address on which the 

20 information was recorded by means of the digital pen 100* 
When the user of the digital pen 100 wishes to 
initiate transmission of information he '^ticks'' the 
activation icon 125. The recording of at least one 
position of the activation icon will then be recognised 

25 by the digital pen 100 as a co-ordinate of a send area, 
which send area is associated with a particular isend 
instruction. By default, this send instruction includes 
the address of a predefined paper look-up service, either 
the global service of server 140 or the local service of 

30 the PC 190. Alternatively, two send areas may exist, one 
associated with the global service and one with the local 
service . 

The digital pen 100 and the global/local paper look- 
up service communicate by means of a pen protocol which 
35 is a proprietary protocol of the applicant of the present 
invention. For a more detailed description of the pen 
protocol and the communication between a digital pen and 
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a paper look-up service reference is m&de to the patent 
application PCT/SE02/01332/ which is incorporated herein 



by reference. 

Fig- 2 schematically shows a system which includes 

S an embodiment of the present invention. The system shows 
a hierarchical configuration with three enterprise paper 
look-up seanrers 200, 210, 220, executing respective 
enterprise paper look-up services E-PItfll, B-PLS2/ E-PLS3# 
and three application servers 205, 21S, 225, executing 

10 respective confined sets of enterprise application 
services E-ASli E-AS2, E-AS3« 



application services. Typically, an enterprise paper 
15 look-up service manages enterprise application services 
that are executed on an application server which is 
connected to the server of the enterprise paper look-up 
service over a local area network. Thus, B-PLSl, with 
which pens 207 are registered, and which executes on 
20 server 200, manages E-ASl executing on server 205, and E«- 
PLS2, with which pens 217 are registered, manages E-AS 2, 
and so on. 

Fig. 2 also depicts a global paper look-up server 
230 executing a global paper look-up service, G-PLS, and 

25 an application server 235 executing application services 
which also can be regarded as being global, and therefore 
denoted G-AS. In the figure, E-PIiS2 is able to 
communicate with the 0-PLS over an enterprise firewall 
240 and the Internet 250. 

30 The operation of an entearprise paper look-up service 

is similar to that of the global paper look-up service, 
the latter sometimes only referred to herein as paper 
look-up service, PLS. The E-PLS distinguishes itself from 
the G-PiiS in that it, e.g., may be configured to only 

35 communicate within a local area network or to only 

communicate within the LAN and with one or more specific 
secondary E-PLSs outside the LAN. Such a secondary B-PLS 



Each enterprise service manages its own pens 207, 
217, 227, registered with the service and its own 
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may belong to the same enterprise or a different 
enterprise. Of course it is possible that the E-PL5 and a 
secondary B-PLS are connected to the same LAN or a same 
Wide Area Network. In Fig. 2, even though not depicted, 
5 B"PLS1 and E-ASl could be connected to a LAN. without any 
connections to any other servers, and, thus^ defining an 
enterprise's 201 own, isolated, version of the system 
infrastructure developed by the present applicant and as 
described above. As a further example, E-PLSl/ E-PLS2 and 
10 E-PLS3 could be the PLSs of respective parts of the same 
enterprise sharing the same LAN or having their own LAN's 
which are interconnected with each other. 

Another difference between an E-PLS and the Q«PLS is 
that it is the enterprise itself that is responsible for 
15 operation, maintenance/ support and administration of its 
own enterprise paper look-up server. Thus, the enterprise 
itself administers the database used for storing 
management rules related to its enterprise application 
services, registration and maintenance of its associated 
20 digital pens, availability of internal and external 
application services, access rights to internal and 
external application services etc» 

It is more efficient for an enterprise to use an E- 
PLS than to use a number of local paper look-up services - 
25 l£ the enterprise were to use a number of PCs executing 
local paper look-up services, access to general 
application services within the enterprise could only be 
accomplished with additional software on each client 
machine executing the local PLS, something which makes 
30 the system more difficult to support and administrate, in 
particular in terms of adding nodes or services in the 
system. 

Furthermore, by using local PLSs, there would be no 
simple way of accessing the enterprise services through 
35 any other node than the PC implementing the local PLS, 
something which would put limits on a pen user's 
possibility to connect to the internal network and access 
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an enterprise application service via a mobile station 
and a mobile communication networks In a manner a$ 
described above « 

Advantageously, the communication between a digital 
5 pen and an B-PLS is secure and based on, e.g., a 

symmetric encryption key that is unique for each pen. The 
E-^PLS is also arranged to be able to perform 
authentication of a digital pen- Similarly, the 
communication between different E-PLS, or possibly 
10 involving the G-PLS, is secure by means of encryption 

keys, and an E-PLS is able to authenticate another E«PLS. 

In figure 2, the possibility of connecting E-PLSs in 
a hierarchy has been illustrated. In this exernplified 
hierarchy, an B-PLS is able to communicate with the G-PLS 
15 over a firewall 240 and an external network in the form 
of the Internet 250, The E-PLSs of the hierarchy could 
belong to different enterprises or to different 
divisions/departments within the same enterprise. 

Fig. 3 shows an enterprise paper look-up eerver 300 
20 in accordance with an exemplifying eoibodiment of the 
invention. The E-PLS 300 shown in Fig. 3 may, e.g., be 
configured to execute either one of the enterprise paper 
look-up services E-PLS 1, E-PLS 2 or.E-PLS 3 in Fig. 2. 
The enterprise paper look-up server 300 include first 
r 25 storing means 310, interface means 320, 340, second 

interface means 330, second storing means 340 and 
\ processing means 350. 

' ' The processing means 350 executes a look-up service 

which, in correspondence with the operation of a G-PliS, 
30 operate to map a certain area of the coding pattern, such 
as the area defining an activation icon, to a network 
address^ such as a URL on an Intranet, for a certain 
application service. A database 360 accessed by the 
processing means is used for storing management rules and 
35 various data defining and controlling associations 
between different coded surface areas and different 
enterprise application services managed by E-PLS 300- The 
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database 360 also stores information eontrolllng'^which"^ 
pens that have the right to access which services. 

In a siirple configuration, the first storing means 
310 is implemented by means of a table in which an area 
address entry of the table corresponds to a specific URL 
of an application service associated with the area 
address. The table is either stored in a separate memory" 
circuit or in the database 360. For example, it is shown 
in Pig. 3 that the surface area defined by all pages of 
segment 1, shelf 2, book 4 (denoted 1.2.4.*) is 
associated with URLl, and that the specific page denoted 
1.2.5.2 Is associated with DHL 2. VRL 1 and URL 2 are the 
network addresses of application services executed by the 
same, or two different, enterprise application servers, 
connected to the same local enterprise network as the B- 
PLS 300, i.e. to the same Intranet or at least the same 
LAN. 

The interface means 320 is a device interface which 
is arranged to communicate with digital devices, e.g. 
20 digital pens. As described above, this communication uses 
a proprietary pen protocol, pp, which in turn usee the 
proprietary secure pen protocol, SPP, and the hypertext 
transfer protocol, http. Typically, this device interface 
is used by the E-PLS 300 for receiving requests from its 
registered digital pens, which requests include area 
addresses defining certain position coded areas, and for 
responding to the digital pens with information relating 
to application services associated with these area 
addresses, such information at least including the 
network address, such as an URL, to be used for accessing 
the service. This information may typically also include 
such things as what kind of data that the device is 
required to transmit to the application service in order 
for the service to be executed, e.g. user data stored in 
the device or data recorxSed from a certain writing 
surface area. 
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The interface means 340 is also known as an Inter 
PLS look-up interface and is used for coTnmunication 
between different PLSs. The Inter PLS look-up interface 
340 is in the figure depicted as including stored 

5 associations between different area addresses and E- 

PLS/G-PLS • In practice, these associations are stored by 
the second storing means being located anywhere in server 
3 00 and accessible by the processing means 350, either in 
a separate memory circuit or in the database 360. 

10 The E-PLS 300 uses the Inter PLS look-up interface 

340 when it cannot find an application service associated 
with an area address of a received request in the first 
storing means 310. The request is then routed to a second 
PLS, either another E-PLS or the G-PLS, in accordance 

IS with the associations stored by the second storing means 
340. The routing is performed by the processing means 350 
by way of operating on the second storing means 340. 
Thus, the combination of the processing means 350 and the 
second storing means 340 forms the routing means of the 

20 B-PLS 300 » The second storing means 340 may also include 
a network address of a default E-PLS to which a. request 
may be routed- This default E-PLS may constitute the only 
second B-PLS to which requests can be routed, or it can 
co-exist with other secondary PLSs and be used when there 

25 is no other secondary PLS that is associated with an area 
address of the request which is to be routed. 

Furthermore, the E-PLS may also receive requests 
over the Inter PLS look-up interface, which requests have 
been routed from another B-PLS, In the same way as when 

30 receiving a request over the device interface 320, the B- 
PLS 300 will check in the first storing means 310 for an 
application service associated with the area address of 
such a request from another E-PLS. If such application 
service is found, the network address thereof is returned 

35 to the requesting E-PLS. The E-PLS will also examine a 
list of E-PLS identities received in a request. These 
identities indicate which E-PLSs that have been traversed 
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by the request- If the E-PLS receiving the request finds 
its own identity in the list, this indicates that a loop 
has occurred among the E-PLSs. The request will then be 
denied, thereby resolving the loop. 

The parameters that the B-PLS 300 may receive in a 
request, or look-up request, over the Inter PLS look-up 
interface 340, and which has been routed from another B* 
PIiS, sire exemplified in the non-exhaustive list below. 



Request parameter 
requesterld 

transactionid 



penld 



visited Ids 



pageAddress 



maglcBoxId 



Description 

-the identity of the device. 

-the identity of tha trcmsactlon 
that triggered the recjuest. 

-the identity of the pen 
that triggered the request. 

-the identities of the PIjSs 
traversed by the request. 

-the page address derived 
from the pen stroke that 
triggered the request. 

-the identity of the activation 
icon in which pen stroke were 
made to trigger the request. 



The information that the E-PLS may return over the 
Inter PLS look-up interface 340 to the requesting B-PLS 
are exemplified in the non- exhaustive list below. 



35 Infojnnation element Description 
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stiatus 



5 name 



URL 



10 



security 



15 



ticket 
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-indicates statue of service, 
e.g. locked, not active, not 
found/ access denied. 

-the name of the service as 
presented to a pen user.. 

-the URL for the application 
service . 

-the level of security imposed 
by the application service, e.g. 
no security, or encryption with 
supplied key. 

-an authentication ticket if 
such security is required. 



key 



20 



-a public key used if security 
implies encryption. 



read 



25 



mand 



-data stored by the pen, so 
called pen properties, which the 
service can read» 

-mandatory pen properties that 
the service reopiires. 



liscensedPattem -a page address defining what 

30 surface area the service can 

read from. 

As is understood, the PLS associations stored in the 
second storing means 340 are configurable and will define 
35 the position of E-PLS 300 in a hierarchy of s-PLSs. Thus, 
by means of the second storing means and the Inter PLS 
look-up interface, E-PLS 300 may be configured to operate 
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B-PI.S2 or B-PIiS3 shown In Pig, 



as either one of S-PLSl^ 
2. 

The second interface means 330 is an Inter PLS 
system interface via which the E-PLS 300, e.g. at regular 
intervals, can ask its parent PLS for tenplate updates. 
For example, in the hierarchy in Pig. 1, e-PLS 2 is a 
parent PLS to B-pls i and to b-pls 3. This hierarchy is 
predefined upon configuration of the B-PLSs in the system 
by means of allocating, if desired, a parent PLS to an E- 
PLS. Upon receiving a response from the parent PLS over 
the same interface, the processing means 350 can extract 
e.g. new management rules or other new data which is to 
be stored in the first storing means 310 or the database 
360. The B-PLS 300 may also extract new values for data 
to be stored in a pen. which pen is updated with this 
data following its next request to the S-PLS 300 via the 
device interface 320. The parent PLS can be another B-PLS 
or the G-PLS. This enables the B-PLS 300 to also ask a 
parent PLS for an update with data of a coded surface 
area that it currently has knowledge of. 

Finally, the E-PLg 300 includes an b-pls 
administration interface 370 via which an enterprise 
maintains and controls its E-PLS 300. The contiol may 
relate to the settings of the second storing means 340 

»f«"'"^ '''^^ position of the B-PLS in the hierarchy 
of E-PLSs, the access to and from other B-PLSs, and bo 
on, xn addition to general E-PLS security management, to 
operator of the enterprise preferably performs the 
admanietration by means of a web application executing' 
within E-PLS 300. 

An exeii^jlifying mode of operation of the present 
invention will now be described with reference to Figs. 4 
and 5. Fig. 4 correspond to the same hierarchy of plSs as 

ri^^'!T^'^ "''^ "^'^"^"^^ embodiment of 

Pi0. 2, but with an illustration of the 

data/communication flow of the exei,«,lified operation now 
to be described. Fig. b shows a flow chart with a number 
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of operational steps, which flow chart illustrates some 
of the possible alternative flows that the operation of 
an E-PLS might tindertake according to various etnbodiTBenta 
thereof , 

5 The overall operation starts when a pen user xises 

his pen 207 and "ticks" an activation icon on a position 
coded surface which is associated with an enterprise 
service. The pen 207 encrypts the request^ except for the 
identity of the pen, using its own unique symmetrical 
10 cryptographic key, and sends the request to the E-PLS 
with which it is registered, also called the pen home 
PIiS, in this case to E-PLSl. 

The E-PLSi receives (step SI) the request from the 
pen and extracts a non- encrypted identity of the pen. it 
15 then uses the pen identity to retrieve the pen's 

symmetrical cryptographic key with which it decrypts 
(step S2) the rest of the request and extracts an 
included area address of the surface area that the ticked 
activation icon belongs to. The E-PLSl then checks (step 
20 S3) if the area address corresponds to a service in its 
list of managed enterprise application services B-ASl. 

If a corresponding service is found, the E-PLSl will 
check (step S4) if the requesting pen has a right to 
access the specific service. This check may, e.g., be 
25 performed by means of a stored two-dimensional matrix, 

formed by the digital pens registered with the E-PLSl and 
the services managed by the E-PLSi, which matrix stores 
indications of which pens that have the right to access 
which services. Either the pen has the right to access 
the service, in which case the E-PLSl will reply by 
sending (step S5) a URL for the service baok to the pen, 
or the pen does not have the right, in which case the B- 
PLSl respond (step 8d) to the pen with an access denied. 

Assuming in this exan?)le that there is no match in 
the list of services, the E-PLSi will then check (step 
S6) if the area address match a second PLS in its list of 
externally available PLSs. Alternatively, or if there is 



30 



35 
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no match, the B-PLSl may cheek (step S7) if there is an 
external available default PLS. If there 1b no available 
default PLS, the E-PLSl respond (step S9) to the pen with 
an acceea denied massage. However ^ if there is an 
externally available matching PLS or default PLS, it is 
checked (step S8) if the pen has the right to cause 
routing of a request to the matching or default PLS. Also 
this check may be performed by means of a two-dimensional 
matrix, which matrix is formed by the registered digital 
pens and the PLSs to which the B-PLSl is configured to be 
able to route a request. Should such routing not be 
allowed, the E-PLSl respond (step S9) to the pen with an 
access denied message. 

If routing to the matching or default PLs is 
15 allowed, the request is encrypted and routed (step SlO) 
to the matching second PLS (or the default PLS) . This 
request, or look-up request, includes the requesting E- 
PLSl's identity, the requesting pen's identity and the 
area address to which the activation icon belongs etc. In 
20 this case the B-PLS2 receives the request (once again 
step SI, but within the operation of E-PLS2) , decrypts 
and authenticates it (step S2) , and checks (step S3) if 
the area address correspond to a service in Its list of 
managed enterprise application services. Assuming there 
25 is a match, the B-PLS2 checks (step S8) that the service 
is not locked and that the requesting E-PLSi has the 
right to cause routing of a request to the matching 
enterprise application service E-AS2. The E-PLS2 then 
replies to the requesting E-PLSl with information that 
includes the URL for the notching service together with 
other information elements as described above with 
reference to Pig ,3. 

The requesting E-PLSl thus receives a response to 
its request from E-PLS2 (step Sll, again within the 
operation of B-PLSI) and sends a response to the 
requesting pen 207. The response tb the pen includes the 
URL for the matching service together with other 
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information rega^rding, e.g./ what kind of data that the 
device is required to t:ransinit to the application service 
in order for the service to be executed/ e.g. user data 
stored in the device or data recorded from a certain 
5 writing surface area. The pen 207 then uses the TJRL, and 
the other received information^ to send a request to the 
enterprise application service which service 

processes the request and replies to the pen 207. 

It is evident from the flow chart of Pig. 5, and 
10 from other parts of this invention diseloBu±e/ that a 

great number of alternative operation flows are possible 
while still falling within the scope of the appended 
claims and within the overall spirit and scope of the 
present invention. 

15 
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1. A method of responding to a request for access to 
an application service, the application service being 
deployed in a system that associates a specific area of a 
5 position coded svirface with an application service by 
means of an area address, the method including: 

providing a first enterprise paper look-up service 
which manages a confined set of one or more enterprise 
application services associated with respective area 
10 addresses ; 

receiving, from an originator, a request including 
an area address; and 

routing, based on the area address, the request to a 
second paper look-i^ service if the area address is not 
IS associated with an enterprise application service managed 
by the first enterprise paper look-i^ service. 



2. The method of claim 1, wherein the routing step 
includes the step of selecting a second paper look-up 
service, among a plurality of paper look-up services, 
that is associated with the area address of the request. 

3. The method as claimed in claim 2, wherein the 
selecting step is based on a step of matching the 

25 received area address with one of the area addresses 
which by the enterprise paper look-up service are 
associated with respective second paper look-up services. 



4. The method as claimed in any one of claims 1 - 3 
wherein the routing step includes the step of selecting 1 
second paper look-up service that defines a default paper 
look-up service. 



5. The method as claimed in any one of claims l - 4 
including checking, if the area address is associated 
With an enterprise application service managed by the 
first enterprise paper look-iq, service, that the 
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originator of the request has the right to access the 
enterprise application service, before enabling access to 
the service, 

5 6. The method as claimed in any one o£ claims 1 - 5, 

including checking that the originator of the request has 
the right to cause routing of a request to the second 
paper look-up service, wherein said routing step only is 
conqpleted if this right is confirmed. 

10 

7. The method as claimed in any one of claims 1^6, 
including s 

receiving a response from the second paper look-up 
services- 
is extracting information related to the application 
service associated with the area address from the 
response r and 

responding to the originator of the request by 
transferring said information to the originator. 

20 

8. The method as claimed in any one of claims 1-7, 
including determining that the originator is a digital 
device of the kind which is arranged to detect positions 
of the position coded surface, or a network connection 

25 unit in communication with such a digital device, which 
digital device is registered by the first enterprise 
paper look-up seirvice. 

9* The method as claimed in any one of claims 1-7, 
30 including determining that the originator is another 
enterprise paper look-up service. 

10, The method as claimed in any one of claims 7 - 
3r wherein the information include a network address 
35 designating the application service* 
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11. The method as claimed in claim 10, wherein the 
network address is designated by means of a Unifojcm 
Resource Iiocator. 

5 12. The methpd as claimed in any one of claims 7 - 

11, wherein the information include designations of 
mandatory data that the application service requires 

- ^ access to during its execution. 

10 13. The method as claimed in any one of claims 1 - 

12, wherein the second paper look-up service is another 
enterprise paper look-up service. 

14 . The method as claimed in any one of claims 1 - 
15 12, wherein the second paper look-up service is a global 
paper look-up service providing world wide services to 
enterprise paper look-up services operated by various 
organisations, such as enterprises or government 
authorities. 



20 



15- The method as claimed in any one of claims 1 - 
14 , wherein the first paper look-up service together with 
the second paper look-up service is included in a 
hierarchy of paper look-up services. 



25 



16. The method as claimed in any one of claims 1 - 
15, wherein the first enterprise paper look-up service 
performs the additional steps oft 

requesting a global paper look-up service to provide 
30 any template updates; and 

receiving a template update in response and 
extracting from the template update new management rules 
relating to at least one confined position coded surface 
area . 



35 



17. An enterprise paper look-up server for 
responding to a request for access to an application 
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service, the application service being deployed in a 
system that associates a specific area of a position 
coded surface with an application service by means of an 
area address, the enterprise server including £ 
S first storing means for storing associations between 

area addresses and respective enterprise application 
services defining a confined set of services managed by 
the enterprise server; 

interface means for receiving^ from an originator, a 

10 request including an area address; and 

routing means for routing, based on the area 
address, the request to a second paper look«-up server if 
the area address is not associated with an enterprise 
application service managed by the enterprise paper look* 

15 up service itself. 

18* The enterprise server as claimed in claim 17, 
Including: 

second storing means for storing associations 
20 between area addresses and respective second paper look- 
up servers; and 

processing means for selecting a specific second 
paper look-up service which is associated with the area 
address of the request. 



25 



30 



19* The enterprise server as claimed in claim 17 or 
18, wherein the processing means is arranged to select a 
second paper look«-up server that defines a default paper 
look-up server. 



20. The enterprise server as claimed in any one of 
claims 17 - 19, wherein the processing mesuns further is 
arranged for checking, if the area address is associated 
with an enterprise application service managed by the 
35 enterprise paper look-up service itself, that the 

originator of the request has the right to access the 
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enterprise application service, be£ore enabling access to 
the service. 

21. The enterprise server as claimed in any one of 
5 claims 17-20, wherein the processing means fxirther is 

arranged for checking that the originator of the request 
has the right to cause routing of a request to the second 
paper look-up server, before said routing means con^letes 
the routing of the request . 

10 

22. The enterprise server as claimed in any one of 
claims 17-21, wherein said interface means further is 
arranged for receiving a response with information from 
the second paper look-up server and for responding to the 

15 originator of the request by transferring said 
information to the originator. 



23. The enterprise server as claimed in any one of 
claims 17-22, wherein the processing means ftirther is 

20 arranged for determining that the originator is a digital 
device of the kind which is arranged to detect positions 
of the position coded surface, or a network connection 
unit in communication with such a digital device, which 
digital device is registered at the enterprise paper 

25 look-up server. 

2ft « The enterprise server as claimed in any one of 
claims 17-23, wherein the processing means iEurther is 
arranged for determining that the originator is another 
30 entearprise paper look-up server. 

2S. The enterprise server as claimed in any one of 
claims 22 - 24, wherein the information include a network 
address designating the application service. 

35 
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26. The enterprise server as claimed in claim 25 , 
wherein the network address is designated by means of a 
Uniform Resoiirce Locator. 

5 27. The enterprise server as claimed in any one of 

claims 22 - 23, wherein the information include 
designations of mandatory data that the application 
service requires access to during its execution. 

10 28. The enterprise server as claimed in any one of 

claims 17 - 27, wherein the second paper look-up server 
is another enterprise paper look-up server. 

29. The enterprise server as claimed in any one of 
claims 17 - 27, wherein the second paper look-up server 
is a global paper look-up server providing world wide 
services to enterprise paper look-up servers operated by 
various organisations, such as enterprises or government 
authorities. 

30. The enterprise server as claimed in any one of 
claims 17-29, wherein the first paper look-up server 
together with the second paper look-up server is included 
in a hierarchy of paper look-up servers. 

31. The enterprise server as claimed in any one of 
claims 17-30, wherein the first enterprise paper look- 
up server additionally includes: 

second interface means for requesting a global paper 
look-up service to provide any template updates and for 
receiving a template update in response thereto, 

wherein said processing means is arranged for 
extracting from the template update new management rules 
relating to at least one confined position coded surface 
35 area. 
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Abstract of the Invention 
The present invention relates to a method and a 
server for responding to a request £or access to an 
application service, which service is deployed in a 
5 system that associates specific areas of a position coded 
surface with corresponding application services. 
According to the invention, an enterprise paper look-up 
service E-PLSl is provided which manages a confined set 
of enterprise application services B-ASl associated with 

10 respective areas included by the overall position coded 
surface, ^en receiving a request that includes address 
Information of such an area, the enterprise paper look-up 
service B-PLS checks if the area address is associated 
with a service that the B-PLS manages. If this is not the 

15 case, the request is routed to a second paper look-up 
service E-PLS2. 



20 



25 



Elected for publications Pig- 2 



3. JAN2003 14:58 AWAPATENO468440955(^ NR 4627 S 30 

AWAPATENT ^ y 

f/5- 



?no3 -o^ 0 3 

Hwvudfcnnt KBwm 




nn. Hoxi w« -» » 



3.JAN2003 14:58 A)»APATENT_H68440955{^ 

AWMATENT JL/S' 

9 ' V ULtnM-odin8.iaitiBt 

2009 -01- 0 3 
HuvudfoMM Koant 




9 P^3-^ 



3JAN2003 U:59 AWAPATENT„H68440955(^ "''^ 



7no3 -01- 0 3 

MttwdfawOTKowon 



340 




1 



320- 



350- 



370 



360 



Device 
interface 



E-PLS 
Adm. 
Interface 



Inter PLS look- 
up interface 




Processor 



X 



Database 



Inter PLS system 
interface 




1.2.4* 


URLl 


1.2.5.2 


URL2 


1,2.5.7 


URL3 



FIG. 3 



3. JAN2003 U:59 



AWAPATENT_M68440955(^ 
lWAPATENT 



SI 



5/5 



4627 — S. 34 

lfd(.tPatBni-ochreg.wil(Bt 
')m -01- 0 3 

HuvudfOMm Kbhot 



Receive a request with an identity of Ihe originator 



S2 



Decrypt the request and extract an area address 

JL 



Check if area address correspond to an address 
associated with a managed application service 



S6 



Yes 



No 



S4 



Yes 



S5 



Check if ttie requesting originator 
has the right to access the service 



R^ly to originator with URL 
of service 



No 



Does the area address match an area address 
associated with a second paper look-i^ service? 



SB 



No 



Yes 



S7 



YesJIs there a defeult second 
service ? 



Check if the requesting originator has the right to cause 
routing of a request to tiie second paper look-iy service 



SIO 



Yes 



No 



Route the request to the 
second paper look-up service 



Sll 



I 



No 



Reply to origmator with an 
access denied message 



Receive a response with information from second paper 
look-up service and send reply to originator with received 
mfonnation 
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